Network::Windows::IIS Authentication
How IIS Authenticates Users
This looks like a good article. It even includes some packet level trace examples.
http://support.microsoft.com/default.aspx?scid=kb;[LN];264921
#!/usr/local/bin/perl
use strict;
use warnings;
use IO::Socket;

# ICA server is at port 1494
my $port = 1494;
# change a.b.c.d & w.x.y.z to your hosts' ip numbers
my $primary   = "a.b.c.d";
my $secondary = "w.x.y.z";
# Seconds to wait for each connect. The original used Timeout => 0, which
# IO::Socket::INET treats as "no timeout", so a down host could block the
# page for the OS connect timeout (often a minute or more).
my $timeout = 3;

my $link;
# Check primary, then secondary. A successful TCP connect only proves that
# something is listening on 1494, not that the ICA service is healthy.
if (port_open($primary)) {
    # port is up, assign $link to the HTML for a link to the file for this server.
    $link = "<a href=\"file1.ica\"><img src=\"icon.jpg\"></a>";
}
elsif (port_open($secondary)) {
    # primary is down, secondary is up: link to the file for the next server.
    $link = "<a href=\"file2.ica\"><img src=\"icon.jpg\"></a>";
}
else {
    # both servers are down - assign $link with HTML error message.
    $link = "<P>Remote Desktop is unavailable.<BR>Please call the support line or<BR>"
          . "<a href=\"mailto:helpdesk\@mycompany.com\">e-mail support</a></P>";
}

# merge variable with template
# the html template contains variable name enclosed by double angle brackets. i.e. <<$link>>
print "Content-type: text/html\n\n";
# Read HTML from template.
merge_file("\\wwwroot\\templates\\remote.html");
exit;

# Try a TCP connect to $port on the given host; true if it accepted.
sub port_open {
    my $host = shift;
    my $sock = IO::Socket::INET->new(
        PeerAddr => $host,
        PeerPort => $port,
        Proto    => 'tcp',
        Timeout  => $timeout) or return 0;
    close $sock;
    return 1;
}

sub merge_file {
    # Read HTML from template.
    my $template_file = shift;
    open(TEMPLATE, '<', $template_file) or do {
        print "Error opening $template_file $!";
        return;
    };
    # The /ee modifier evaluates whatever sits between << and >> as Perl
    # code, so anyone who can write the template can run code as the web
    # server. Keep the templates directory writable by administrators only.
    while (<TEMPLATE>) {
        no warnings 'uninitialized';   # an unknown <<$name>> expands to nothing
        s/<<(.*?)>>/$1/eeg;
        print;
    }
    close(TEMPLATE);
}
Send me an e-mail with your comments or questions.
Windows::Security::Registry::XUPITER
Xupiter Toolbar Troubles
One of our users got this Xupiter toolbar thingy loaded in her IE the other day. Probably automatically installed ActiveX thing or else she did it herself and denies it now. This thing just totally messes up IE so it won't hardly load any pages from anywhere, messes up home page, search settings, etc.
HOW TO REMOVE IT
- Edit the registry and go to
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
Delete the 'XupiterStartup' entry.
- Open a command prompt and deregister the DLLs (regsvr32 /u loads each DLL and calls its DllUnregisterServer routine, so this runs the toolbar's own code one more time; do it before deleting the files):
cd "%WinDir%\System"
regsvr32 /u "C:\Program Files\Xupiter\Updates\XupiterToolbar.dll"
regsvr32 /u "C:\Program Files\Xupiter\Updates\XTUpdate.dll"
regsvr32 /u "C:\Program Files\Xupiter\Updates\XTSearch.dll"
- Restart the computer
- Delete the Xupiter folder in Program Files.
- Delete the registry keys:
HKEY_CURRENT_USER\Software\Xupiter
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{A27CFCAE-9351-4D74-BFFC-21EB19693D8C}
12/13/2002
Windows NT/2K::Registry::Service Control
PROBLEM: Getting stuck starting/stopping services or modifying the service state
A few times I got stuck changing the service "state" (manual/disabled/automatic) or stopping a service. I'm not sure what might cause this to happen, perhaps a dependent service is not stopped first or a prerequisite service is not started yet. But I get left with "stopping" as the status and it never goes away. To work around this for troubleshooting I change the service state in the registry and restart.
Service entries in the registry:
These are found under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
The keys below that roughly correspond to services listed under control panel > services.
The value to change: Start (data type REG_DWORD). The value can be:
0 = Boot
1 = System
2 = Automatic
3 = Manual
4 = Disabled
Drivers will have the Boot and System values; 2, 3 and 4 correspond to the values we set through the normal Services interface. The service control manager reads Start when it starts the service at boot, so the registry change takes effect after the restart, not immediately.
E-Mail::Spam::Security::Open Relay Testing
Test your mail system to ensure you are not an open relay.
Don't be a spam sending zombie.
http://www.abuse.net/relay.html
http://www.ordb.org/submit/
http://www.paladincorp.com.au/unix/spam/spamlart/
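The test the sites above perform, as an added example (not code from the page or from the linked testers): hand the server a sender and a recipient that are both outside its own domains and see whether RCPT TO is accepted. A 250 there means the server will relay for anyone. The domains example.net and example.org are placeholders, and FakeSMTP is a constructed stand-in for a real server so the check runs offline; probe_host() talks to a real server. Only probe mail systems you are responsible for.

```python
"""Open-relay check over plain SMTP: stop before DATA, so nothing is sent."""
import socket


def read_reply(rfile):
    """Read one SMTP reply, including multi-line ones ("250-..."), return its code."""
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        code = int(line[:3])
        if len(line) < 4 or line[3] != "-":   # "250 " is the last line, "250-" continues
            return code


def relay_probe(rfile, wfile, helo="probe.example.net",
                sender="probe@example.net", rcpt="victim@example.org"):
    """Drive the dialogue up to RCPT TO and return (is_open_relay, transcript).

    Both sender and recipient must be domains the server does not host,
    otherwise a 250 is legitimate delivery, not relaying.
    """
    transcript = []

    def cmd(line):
        wfile.write((line + "\r\n").encode("ascii"))
        wfile.flush()
        code = read_reply(rfile)
        transcript.append((line, code))
        return code

    if read_reply(rfile) != 220:                      # greeting banner
        return False, transcript
    if cmd("EHLO " + helo) != 250 and cmd("HELO " + helo) != 250:
        return False, transcript
    if cmd("MAIL FROM:<%s>" % sender) != 250:
        cmd("QUIT")
        return False, transcript
    code = cmd("RCPT TO:<%s>" % rcpt)
    cmd("RSET")                                       # abandon the envelope
    cmd("QUIT")
    return code in (250, 251), transcript


def probe_host(host, port=25, timeout=15.0):
    """Run relay_probe against a live server (not exercised offline)."""
    with socket.create_connection((host, port), timeout) as sock:
        with sock.makefile("rb") as rfile, sock.makefile("wb") as wfile:
            return relay_probe(rfile, wfile)


class FakeSMTP:
    """Constructed in-memory server: canned replies for every command,
    and the given code for RCPT TO, so the probe can run without a network."""

    def __init__(self, rcpt_code):
        self.rcpt_code = rcpt_code
        self.lines = [b"220 mail.example.com ESMTP ready\r\n"]

    def readline(self):
        return self.lines.pop(0) if self.lines else b""

    def write(self, data):
        verb = data.split()[0].upper()
        verdict = b"granted" if self.rcpt_code in (250, 251) else b"denied"
        replies = {
            b"EHLO": b"250-mail.example.com\r\n250-SIZE 10240000\r\n250 8BITMIME\r\n",
            b"HELO": b"250 mail.example.com\r\n",
            b"MAIL": b"250 2.1.0 Ok\r\n",
            b"RCPT": str(self.rcpt_code).encode() + b" Relay access " + verdict + b"\r\n",
            b"RSET": b"250 2.0.0 Ok\r\n",
            b"QUIT": b"221 2.0.0 Bye\r\n",
        }
        reply = replies.get(verb, b"500 5.5.1 Error\r\n")
        self.lines.extend(reply.splitlines(keepends=True))

    def flush(self):
        pass
```

Run probe_host("mail.yourdomain") from a machine outside your own network, since many servers correctly relay for inside addresses; the transcript shows which command drew the refusal, which helps when a server rejects at MAIL FROM because of a blocklist rather than at RCPT TO.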
12/12/2002
Windows 9x/NT/2k::Security::Registry
Registry values to lock down the settings users are allowed to change in IE; for Win2K these haven't changed since IE5 on Win98. Note that HKEY_USERS\.DEFAULT is the hive used before anyone logs on (the logon screen and system services), not a template for user profiles, so the values below only take effect for a logged-on user when placed under that user's HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel (or pushed there by Group Policy):
[HKEY_USERS\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel]
"Advanced"=dword:00000000
"HomePage"=dword:00000000
"Cache"=dword:00000000
"History"=dword:00000000
"Colors"=dword:00000000
"links"=dword:00000000
"Fonts"=dword:00000000
"Languages"=dword:00000000
"Accessibility"=dword:00000000
"Connwiz Admin Lock"=dword:00000000
"Connection Settings"=dword:00000000
"Proxy"=dword:00000001
"Autoconfig"=dword:00000001
"Ratings"=dword:00000000
"Certificates"=dword:00000000
"Profiles"=dword:00000000
"FormSuggest"=dword:00000001
"FormSuggest Passwords"=dword:00000001
"Messaging"=dword:00000000
"CalendarContact"=dword:00000000
"ResetWebSettings"=dword:00000000
"Check_If_Default"=dword:00000000
"GeneralTab"=dword:00000000
"SecurityTab"=dword:00000000
"ContentTab"=dword:00000000
"ConnectionsTab"=dword:00000000
"ProgramsTab"=dword:00000000
"AdvancedTab"=dword:00000000
Values: 0 = the user may change the setting, 1 = the setting is restricted.
Network::Security::More on Peer to Peer File Sharing Clients
(There is lots of great info at http://www.oofle.com )
From: http://www.oofle.com/iptables/filesharing.html
KaZaA Media Desktop and Grokster
Built on the FastTrack filesharing technology, KaZaA has been one of the most popular applications in the world, especially after many Morpheus users came to KaZaA after the Morpheus changeover to Gnutella. I first saw KaZaA a little over 2 years ago, and thought that it was a "decent" implementation as far as how well it worked, but I saw that there weren't very many users on it at the time. Then, a little application called Morpheus came along that was better than the KaZaA client and made the FastTrack network very popular, and made more files available to KaZaA users.
Connection Behavior:
KaZaA and Grokster have pretty much the same connection behavior. First off, as in the case of most file sharing clients, they connect up to a centralized server. Then, this gives you the search functionality in the client, and once you have searched for a client to download your file from, it creates a connection on TCP port 1214 of the remote host (sometimes your port 1214 takes an incoming connection), and starts sending/receiving the file. Blocking access to the KaZaA and Grokster networks and to port 1214 will dump all access to them. I'm working on a way to try to do this without a port block, but it's not looking too good so far. Another potential is to allow connections from ports 80 and 53 to 1214, but not allowing any other connections to 1214. This would at least remove the chance of a web connection or DNS connection landing on 1214 and being dumped.
AudioGalaxy
AudioGalaxy is an interesting sort of file sharing program. First off, the application with which you download files from the AudioGalaxy network does not contain a search function. It is, I believe, the only major application that is built this way currently. Instead of searching within the app and bloating things, AudioGalaxy chooses to have users log in to their webpage, and then do search functions within the web, and download files from there. AudioGalaxy is pretty much all around a little different compared to its competitors, and that's why it, for a while and still in some places, has been a huge problem. AudioGalaxy still generates a lot of the filesharing traffic on the internet, and is the lone major competitor to Morpheus and KaZaA.
Connection Behavior:
AudioGalaxy is a bit different from other file sharing applications when it comes to connections. There is one main similarity between this app and the rest of the apps, but even in this similarity there is a difference. First off, the similarity is the fact that the AudioGalaxy client, called a Satellite, connects to central servers on AudioGalaxy's networks, 64.245.58.0/24 and 64.245.59.0/24, or collectively 64.245.58.0/23, but the way it connects is a little interesting. AudioGalaxy chooses an interesting port to have their servers listen on, port 21, commonly associated with FTP. I assume the reasoning behind this is 1.) hide the connections to the servers, and 2.) make it so that a user cannot block server connections without dumping vital services. Well, this is somewhat the case, but there is another interesting thing about AudioGalaxy, that is, the ports that it chooses to transfer files over. This app chooses to, instead of having one static port for connections, or a few commonly used ports (i.e. 6699 and 6698, etc. on Napster), have one wide range of available ports. But, there is a little hope in this, as this range of ports is quite a high range although a large number. The range AudioGalaxy uses is ports 41000 through 41999, or one thousand ports. The serving client will choose a port in this range, contact the server, and the server will tell the downloading client where to find this waiting machine and port to start the download. So, if we want to block AudioGalaxy, it is actually very simple. Stop the users from reaching the AudioGalaxy network: not only do we stop the connections to the servers, but we stop search functionality and every other portion of the AudioGalaxy operation.
12/11/2002
Windows NT::Recovery Console
To get into the Recovery Console you have to have the local (SAM) administrator password, which on a domain controller is the one used for Directory Services Restore Mode rather than the domain Administrator password. You might not remember this on a domain controller.
This really bites. You need the administrator password from when you installed Win2K (before you promoted it to DC.)
If I ever get this server back up I'm going to change this password to something we know. (What the "consultant" told us doesn't work.)
http://support.microsoft.com/default.aspx?scid=kb;en-us;239803
Network::Firewall::Packet Level::RealNetworks
Playing around with open ports and firewall rules.
RealNetworks has a good testing site: http://service.real.com/test
RealNetworks content servers and clients use the following communications:
Usually a session is initiated over HTTP (for example a request for a *.RAM file, which is really a single-line text file pointing to the real file or stream).
Then it uses HTTP, RTSP (Real Time Streaming Protocol), or PNA for the streaming itself.
Ports:
TCP 554 (RTSP) outbound from the client; the stream comes back on UDP 6970-32000
or TCP 7070 (PNA, RealAudio) outbound from the client; the stream comes back on UDP 6970-7170
RealPlayer, RealOne, ...
I'm starting to despise all the "Real_____whatever____" products. They are so huge and have a built-in web browser with its own security bugs/etc. I just want the little realplayer we used to have (maybe ver 4) that downloaded on even a slow dialup connection within a reasonable time and installed in a snap.
Besides, RealAudio uses kind of ugly network communications. Too many ports and options. The firewall is almost a guarantee that somebody's real___ server somewhere won't work for us.
Using MS ISA (another over featured bloated mess) just for "caching" (MS-PROXY 2.0 was a perfected product, so they just had to trash it all and write a huge, messy, buggy thing.)
Anyway, using ISA for caching only and turning on the requirement that only authenticated users can get out to the web I am having problems with RealPlayer 8-9, RealOne 1-2. It doesn't behave nicely when it comes to authenticating the user.
I can't decide if RealNetworks is too lame and/or lazy to fix their stuff or if Microsoft is just being a pain to try to push RealNet out.
An "almost hit" on my issue is at http://support.microsoft.com/default.aspx?scid=kb;[LN];288734
Sometimes (and some users) get a logon prompt and it will work if the user logs in (but it's still a pain and people are whining.) But other times it just returns "access denied" without presenting any logon prompt.
Windows 2K/NT::Security::Cached Credentials
By default, Windows caches a verifier derived from the credentials of the last 10 domain users to log on at a workstation, so those users can still log on when no domain controller is reachable. This allows me, for example, to take my laptop home and logon locally using my domain logon & password allowing me to work with local resources using the same profile that I use at work. The cached verifiers are stored in the SECURITY hive and can be extracted and attacked offline by anyone with administrative or physical access to the machine, which is why the count matters most on laptops that leave the building.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount
Data Type: REG_SZ (valid range 0 to 50)
Set to 0 to disable caching credentials (domain accounts then cannot log on unless a domain controller is reachable).
Set to 1 to just save the last one.
12/10/2002
Windows::Autologon
Enable Automatic Logon in Windows 2000
This option is not available for Windows 2000 Server or Advanced Server.
Preventing the Password Prompt in a Non-domain System
- In Control Panel, double-click
Users and Passwords.
- Click to clear the Users must enter a user name and password to use this computer check box.
NOTE: This option does not appear on a system that is a member of a domain.
- Click the Advanced tab.
- Click to clear the Require users to press Ctrl-Alt-Del before logging on check box.
Enabling Automatic Logon on a Member Workstation
WARNING: This will likely be a serious security problem. Anyone booting this system with this registry modification will be logged on to the system with the user's security credentials, and the DefaultPassword value is stored in clear text in the registry, where any user who can read the Winlogon key can retrieve it.
- Start Regedt32.exe and locate the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
- Establish your domain name, account name, and password, using the values you would normally type when logging on. You should assign the following values: DefaultDomainName, DefaultUserName, and DefaultPassword.
NOTE: The DefaultDomainName and DefaultUserName values may already exist. The DefaultPassword value may not. If it does not, create it. To do so:
- On the Edit menu, click Add Value.
- In the Value Name box, type DefaultPassword.
- In the Data Type box, click REG_SZ.
- Click OK.
- In the String Editor box, type your password. Click OK and save your changes.
NOTE: If no DefaultPassword string is specified, Windows automatically changes the AutoAdminLogon value from 1 (true) to 0 (false). This disables the AutoAdminLogon feature. This behavior also occurs if the DefaultPassword string is specified but the password is left blank or null.
- On the Edit menu, click Add Value. Type AutoAdminLogon in the Value Name box. Click REG_SZ in the Data Type box. Enter 1 in the String box. Save your changes.
- Quit Regedt32.exe.
- Shut down Windows and turn off the computer.
- Restart your computer and Windows 2000. You should be able to log on automatically now.
From Microsoft Support Article 234562
12/09/2002
Security::Virus/worm::Friend Greeting
They ought to track down these people and spam everybody in their address books!
If you haven't already been struck by this issue, it is interesting. They are presently hosted on UUNET. Complain about this to: abuse-mail@wcom.com
For info on blocking URL's and IP addresses see:
http://securityresponse.symantec.com/avcenter/venc/data/friendgreetings.html
And check back often as the list is updated. (It has new information since just a couple days ago.)
Networking::TCPIP::Unassigned Addresses
Address spaces that are unassigned on the public internet and reserved for private use (RFC 1597, since superseded by RFC 1918): 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16.
These addresses are not supposed to be routed on the internet, so a border firewall should drop packets arriving from outside with one of them as source or destination (anti-spoofing). Although I've run across some odd situations that turned out to be problems resulting from an ISP routing one of these.
http://www.safety.net/sum1597.html
Networking::Wireless::VoIP::Network Management
Notes from Networking Decisions conference.
- We got a great deal since all meals but one were provided free and they paid two of my three hotel nights. And although the conference was free they had VP's and officers of network companies there speaking about network topics and talks from analysts from Gartner, Giga, and Yankee group. The sessions were very focused on technology and there were no "unadvertised" sales pitches.
- The same company is having an Enterprise Windows conference in a similar format at the same location next May. I think we could benefit from attending it as well.
- The Network conference focused on wireless technologies, Voice over IP, and network management.
- NETWORK MANAGEMENT: I was disappointed by the small amount of coverage of network management. But there were a couple good presentations and networking opportunities to talk with others about how they did stuff. And I saw some amazing products - one a "network management appliance" for just $2999 that can be setup to monitor services/devices and alert us when there is trouble. We are doing this now using cheap software and freeware, but this device brings it all together into one small machine that can do more.
-WIRELESS LAN: I got a good understanding of the technologies available for wireless LAN setup.
- The most manageable would be to install antennas in various locations above the ceiling and cable them back to wireless access points in a closet rack. This provides central maintenance and upgrade of the wireless access points.
- There are a good number of security issues. When setting up authentication there are other issues requiring additional hardware/software to provide for "roaming" between access points/etc.
- I don't have a detailed cost analysis, but my impression was that setting up a wireless LAN "right" would cost at least as much as a wired LAN - and you get less performance. I'm sure there are environments where the need for mobility outweighs cost and performance.
- I don't see any advantage to using a wireless LAN for "day to day" needs at my company.
- One idea though would be to provide a wireless internet "hot spot" in conf room(s) for client use in connecting back to their offices or for internet presentations with special furniture arrangement needs. To provide this securely would require cabling all the antennas to access points in the network closets and have them all terminated at a single network segment that is totally separate from ours and connect it directly to its own firewall interface. This would require additional uplink ports on closet switches and/or cabling runs from the conference rooms on each floor into the datacenter.
- WIRELESS WAN: There continues to be a proliferation of new devices. Blackberry seems to me to continue to be the most suitable and convenient device for getting e-mail and basic PIM functions. Blackberry has a combo phone device and is coming out with an international phone/Blackberry device. Most cost benefit from palmtop computers (like Ipaq) seems to be with custom applications for vertical markets like sales and inventory management - low bandwidth transfers of transaction data and reference numbers. Since the HP/Compaq merger, the Ipaq will continue to be branded as Ipaq and HP palm devices will fade away.
- VOICE OVER IP - This point was brought out repeatedly: VOIP will fail without a thorough network evaluation and implementation of quality of service switches. VOIP causes drastic changes in network utilization and requires specialized skills and equipment to monitor and manage the resulting network traffic.
- VOIP continues to remain in a very long "early adopter" phase. The Gartner analyst projected that by 2008, 20% of new phone switch sales will be VOIP. The Gartner analyst predicted that in our present economy few companies will upgrade to VOIP since, in the best case, we are spending a lot of money just to give users what they already have. Whereas in a realistic case, the resulting user functions may turn out to be fewer and less robust, and numerous problems will be encountered and must be overcome in the process. So user perception would be that the project interrupted their business and cost money to achieve fewer features and more problems.
- What we would need to do to prepare:
- Training! - for telecom people, for data network people, for network admins. All of these positions will be affected by VOIP and all the staff in these positions will be "taken out of their comfort zone."
- Add a "Policy" switch to each closet and implement quality of service features on LAN switches
- Find out what IP capabilities our phone switch has, how "upgradable" it is for use with VOIP.
- I believe the Optiset phones we are replacing our Rolm phones with have an option to upgrade them by changing out the modules in the phones. Existing phones would have to be upgraded and remaining Rolm phones replaced with Optiset IP phones.
- Other presentations brought out that "Back office" opportunities may present themselves to position us for a future migration to VOIP. And some VOIP functions might become attractive for WAN voice.
- I believe we should continue making small steps in that direction so that hopefully next time we need to replace the FAX server we could implement Universal Messaging. I believe we could avoid repurchasing T1 cards and achieve a server hardware savings on the replacement FAX server (and our voicemail is in need of replacement now.) Universal Messaging could also provide us with a graphical interface into our phone mail options and deliver phonemail into our Outlook mailbox where it can be backed up daily. This would migrate us away from our old phonemail machines and eliminate contention for channels to the phonemail since internal calls would access voicemail over the LAN instead of the voice channels from the phone switch.
12/06/2002
Windows::Registry
For Windows 2000 & Windows XP, there is a commandline registry tool, REG.EXE
REG Operation [Parameter List]
Operation [ QUERY | ADD | DELETE | COPY |
SAVE | LOAD | UNLOAD | RESTORE |
COMPARE | EXPORT | IMPORT ]
Return Code (except for REG COMPARE):
0 - Successful
1 - Failed
For help on a specific operation type:
REG Operation /?
Examples:
REG QUERY /?
REG ADD /?
REG DELETE /?
REG COPY /?
REG SAVE /?
REG RESTORE /?
REG LOAD /?
REG UNLOAD /?
REG COMPARE /?
REG EXPORT /?
REG IMPORT /?
Security::Virus::KLEZ
Symantec Security Response - a wealth of information is available from all the big antivirus vendors.
http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.h@mm.html Cleaning tools available free - worked like a charm.
Free online virus scan!
http://housecall.trendmicro.com/housecall/start_corp.asp
Patch Outlook! (The hole Klez uses to run its attachment automatically is in the Internet Explorer MIME handling that Outlook and Outlook Express use to render HTML mail, so the fix is the IE patch in this bulletin.)
http://www.microsoft.com/technet/security/bulletin/MS01-020.asp
Security::Virus::VPN
"Nothing Works!"
NOTHING WORKS! I hear that from people all the time when describing their computer problems. A recent experience with a high profile user's home computer has provided me with some insights and downright fear about future security.
When I visited his home and sat down at his computer I learned that it was true NOTHING WORKED! Got logged in to XP okay, but every shortcut I clicked, "can't find ...." I tried START > RUN > IEXPLORE -> "can't find ..." Then I tried RUN > CMD.EXE -> didn't work. But, RUN > COMMAND.COM worked okay. I went directly to the WINDOWS\SYSTEM32 directory and ran CMD.EXE from the COMMAND shell and it worked fine. (I then had support for long file/directory names and other items I missed greatly under the DOS5 shell clone of COMMAND.COM.) At my CMD prompt I went to C:\PROGRAM FILES\INTERNET EXPLORER and ran IEXPLORE.EXE and it worked! Then I proceeded on an interesting journey of recovery and I had a long time to think about life during reboots and virus scans. During my contemplation, as it all sank in, I changed my mind about wanting VPN access for our network. This person was infected with a Klez variant virus. After several hours of work cleaning up the virus almost everything is back to normal. Reading all the vendor propaganda about VPN you would think that the level of encryption of the tunnel is the only security issue with VPN. However, imagine that you have a VPN open to all your employees. Further imagine this big shot bought a new computer and cable modem for Christmas and never installs a personal firewall and then a few weeks later his trial version of NAV expires and he gets infected with a virus. This could be a virus or trojan that attaches to available network shares and copies itself there or infects or damages those files. It could be a trojan that sends copies of files or other information to people in the address book or uploads them to a hacker's machine. Or it could make his machine a zombie for hackers to take over. We barely have control over users installing and reconfiguring our company computers; we definitely have no control over what mess home computers might be in.
And when you read about companies that have a VPN, but only allow it from company computers, and don't allow personal software installed on company computers.... That "policy" just would make a VPN in our organization not worth the capability. If we have to take our computer with us, then this really wouldn't be as widely useful in our situation. And who is going to police those policies? If we were a huge corporation and hardly ever got hold of salespersons' laptops there would still be very little control over what they did to them.
http://www.microsoft.com/technet/security/bulletin/MS01-020.asp
12/04/2002
Security::Firewall::Blocking Peer-to-Peer file sharing
P2P network client software is the spawn of S A T A N
I am fighting a constant battle with users who are dedicated to screwing up their computers and flooding our network.
Block the sites
SurfControl category is setup for blocking access to websites related to peer to peer file sharing tools and activities.
Blocking P2P traffic
Blocking ports at firewall(both TCP & UDP)
1214 - Kazaa & Morpheus
6346, 6347 - Gnutella/Limewire
1088 - Audio Galaxy - also uses ftp on ports 21 and 41000+, which are not feasible to block. So I'm considering blocking outbound to the server(s). I need to find a good way to locate where those servers are and hope they are in the same subnet.
How to Configure an Authoritative Time Server in Windows 2000
Windows includes the W32Time Time service tool that is required by the Kerberos authentication protocol. The purpose of the Time service is to ensure that all computers that are running Windows 2000 or later in an organization use a common time. The Time service uses a hierarchical relationship that controls authority and does not permit loops to ensure appropriate common time usage.
Windows-based computers use the following hierarchy by default:
All client desktop computers nominate the authenticating domain controller as their in-bound time partner.
All member servers follow the same process as client desktop computers.
Domain controllers may nominate the primary domain controller (PDC) operations master as their in-bound time partner but may use a parent domain controller based on stratum numbering.
All PDC operations masters follow the hierarchy of domains in the selection of their in-bound time partner.
Following this hierarchy, the PDC operations master at the root of the forest becomes authoritative for the organization, and you should configure the PDC operations master to gather the time from an external source. This is logged in the System event log on the computer as event ID 62. Administrators can configure the Time service on the PDC operations master at the root of the forest to recognize an external Simple Network Time Protocol (SNTP) time server as authoritative by using the following net time command, where server_list is the server list:
net time /setsntp:server_list
There are several SNTP time servers run by the U.S. Naval Observatory that are satisfactory for this function, for example:
ntp2.usno.navy.mil at 192.5.41.209
tock.usno.navy.mil at 192.5.41.41
After you set the SNTP time server as authoritative, run the following command on a computer other than the domain controller to reset the local computer's time against the authoritative time server:
net time /set
More information about the net time command is available at a command prompt if you type the following command:
net time /?
SNTP defaults to using User Datagram Protocol (UDP) port 123. If this port is not open to the Internet, you cannot synchronize your server to Internet SNTP servers. Note also that plain SNTP carries no authentication, so anyone who can spoof replies on the path can feed the PDC emulator a wrong time; because Kerberos rejects tickets when clocks differ by more than five minutes (the default tolerance), a bad time source becomes a denial of service for domain logons. Prefer a time source you control or can reach over a trusted path.
From: Microsoft KB http://support.microsoft.com/default.aspx?scid=kb;EN-US;216734
Time Services White Paper: http://www.microsoft.com/windows2000/docs/wintimeserv.doc
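A check worth running before pointing the PDC emulator at an outside server with "net time /setsntp": confirm that the server actually answers on UDP 123 and that its reply is usable (server mode, synchronized, sensible stratum). The following is an added example and not from the KB article or the white paper. It builds the 48-byte SNTP request and decodes the reply header and transmit timestamp; sample_reply() is a constructed server packet so the parser can be exercised offline, and query() is the only part that touches the network.

```python
"""Minimal SNTP client and packet parser (RFC 4330 packet layout)."""
import socket
import struct
import time

# Seconds between the NTP epoch (1900-01-01) and the Unix epoch (1970-01-01).
NTP_UNIX_OFFSET = 2208988800


def build_request():
    """48-byte client request: LI=0, VN=4, Mode=3, every other field zero."""
    return bytes([0x23]) + bytes(47)


def parse_reply(data):
    """Decode the first header byte, the stratum and the transmit timestamp.

    'transmit' is the server's transmit time converted to Unix seconds.
    """
    if len(data) < 48:
        raise ValueError("SNTP packet too short: %d bytes" % len(data))
    first = data[0]
    secs, frac = struct.unpack(">II", data[40:48])   # transmit timestamp, bytes 40-47
    return {
        "leap": first >> 6,            # 3 = clock not synchronized (also kiss-o'-death)
        "version": (first >> 3) & 7,
        "mode": first & 7,             # 4 = server reply
        "stratum": data[1],            # 0 = kiss-o'-death, 1 = primary reference
        "transmit": secs - NTP_UNIX_OFFSET + frac / 2 ** 32,
    }


def is_usable(reply):
    """True for a reply you could set a clock from: server mode, synchronized,
    stratum in the valid 1..15 range."""
    return (reply["mode"] == 4 and reply["leap"] != 3
            and 1 <= reply["stratum"] <= 15)


def sample_reply(unix_seconds, stratum=1, leap=0):
    """Constructed server-mode packet (VN=4, Mode=4) for offline testing only."""
    header = bytes([(leap << 6) | (4 << 3) | 4, stratum, 0, 0])
    transmit = struct.pack(">II", unix_seconds + NTP_UNIX_OFFSET, 0)
    return header + bytes(36) + transmit


def query(server, port=123, timeout=5.0):
    """Send one request to a live server; return (reply, offset_seconds).

    offset is the server's transmit time minus the local clock at receipt.
    Ignore it unless is_usable(reply) is true. A socket.timeout here is the
    symptom the KB text describes: UDP 123 is not open to the server.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_request(), (server, port))
        data, _ = sock.recvfrom(512)
    reply = parse_reply(data)
    return reply, reply["transmit"] - time.time()


if __name__ == "__main__":
    import sys
    reply, offset = query(sys.argv[1])
    print("stratum %d, offset %+.3f s, usable=%s"
          % (reply["stratum"], offset, is_usable(reply)))
```

Run it as "python sntpcheck.py tock.usno.navy.mil" from the PDC emulator itself, since that is the host whose path to UDP 123 matters; an offset of more than a few seconds on a machine that is already a domain controller is worth fixing before Kerberos starts refusing tickets.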
12/02/2002
VoIP::Network::Management Tools
Network assessment prior to VoIP deployment is critical to sidestep failure of the entire project.
And Network Management will have a renewed urgency when VoIP is in the picture.
I just came across these products. Haven't used them, but will review them if I ever need to plan for a VoIP installation.
ViViNet: Assessor, Diagnostics, and Manager
http://www.netiq.com/products/va/default.asp